Check: WIR-MOS-AND-006-01
Android 2.2 (Dell) STIG:
WIR-MOS-AND-006-01
(in version v1 r2)
Title
All non-core applications on the mobile OS device must be approved by the DAA or Command IT Configuration Control Board. (Cat I impact)
Discussion
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
Check Content
Detailed Requirements: Core applications are applications included in the mobile Operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the mobile OS device must be approved by the DAA or the Command IT Configuration Control Board. Approval must be documented in some type of approval (memo, letter, etc.). Check Procedures: Review the procedures the site or command uses to review and approve third-party applications used on managed Android devices. Have the IAO or DAA representative provide a copy of the application review. Second, select 3-4 random devices managed by the site to review. -Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card. --Have the user log into the device. Go to Settings > Applications > Manage applications. To view the list of applications on the smartphone select “All.”. To view a list of applications on the SD media card select “On SD card.”. --If an App is not in the list of core Apps (see below), then note the name of the App. --Verify the site has written approval to use the App from the DAA or site IT CCB. -Mark as a finding if any App has not been approved. A list of standard core Android Apps can be found in the STIG Configuration Tables document. Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., can the user enable location services in Android for the application).
Fix Text
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.
Additional Identifiers
Rule ID: SV-35015r1_rule
Vulnerability ID: V-24986
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |